Lesson 4: Increasing Security with EFS

The Microsoft Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. EFS encryption is public key-based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. If a user who attempts to access an encrypted NTFS file has the private key for that file, the file is decrypted so that the user can open it and work with it transparently as a normal document. A user without the private key is denied access.

Windows 2000 includes the Cipher command-line utility, which enables you to encrypt and decrypt files and folders from a command prompt. Windows 2000 also provides a recovery agent utility so that if the owner loses the private key, the recovery agent can still recover the encrypted file.


After this lesson, you will be able to

  • Encrypt folders and files

Estimated lesson time: 30 minutes


Understanding EFS

EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is needed, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and encryption isn't defeated by temporary files created during editing and left unencrypted in the paging file or in a temporary file.

You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated into the overall Windows 2000 security policy. Control of this policy can be delegated to individuals with recovery authority, and different recovery policies can be configured for different parts of the enterprise. Data recovery discloses only the recovered data, not the key that was used to encrypt the file. Several protections are in place to ensure that data recovery is possible and that no data is lost in the event of a total system failure.

EFS is implemented either from Windows Explorer or from the command line. It can be enabled or disabled for a computer, domain, or organizational unit by resetting recovery policy in the Group Policy console in the MMC.

NOTE


To set group policy for the domain or for an organizational unit, your computer must be part of a Windows 2000 domain.

You can use EFS to encrypt and decrypt files on remote file servers but not to encrypt data that is transferred over the network. Windows 2000 provides network protocols, such as Secure Sockets Layer (SSL) authentication, to encrypt data over the network.

Table 7.6 describes the key features provided by Windows 2000 EFS.

Table 7.6 EFS Features

Feature: Transparent encryption
Description: In EFS, file encryption doesn't require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption happen transparently on file reads and writes to disk.

Feature: Strong protection of encryption keys
Description: Public key encryption resists all but the most sophisticated methods of attack. Therefore, in EFS, the file encryption keys that are used to encrypt the file are encrypted by using a public key from the user's certificate. (Note: Windows 2000 uses X.509 v3 certificates.) The list of encrypted file-encryption keys is stored with the encrypted file and is unique to it. To decrypt the file-encryption keys, the file owner supplies a private key, which only the file owner has.

Feature: Integral data recovery
Description: If the owner's private key is unavailable, the recovery agent can open the file using his or her own private key. There can be more than one recovery agent, each with a different public key, but at least one public recovery key must be present on the system to encrypt a file.

Feature: Secure temporary and paging files
Description: Many applications create temporary files while you edit a document, and these temporary files can be left unencrypted on the disk. On computers running Windows 2000, EFS is implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.

Encrypting

The recommended method to encrypt files is to create an NTFS folder and then "encrypt" the folder. To encrypt a folder, in the Properties dialog box for the folder, click the General tab. On the General tab, click the Advanced button, and then select the Encrypt Contents To Secure Data check box. All files placed in the folder will be encrypted. The folder is now marked for encryption. Folders that are marked for encryption aren't actually encrypted; only the files within the folder are encrypted.

NOTE


Compressed files can't be encrypted, and encrypted files can't be compressed.

After you encrypt the folder, when you save a file in that folder, the file is encrypted by using file encryption keys, which are fast symmetric keys designed for bulk encryption. The file is encrypted in blocks, with a different file encryption key assigned to each block. All of the file encryption keys are stored and encrypted in the Data Decryption Field (DDF) and the Data Recovery Field (DRF) in the file header.

NOTE


By default, encryption provided by EFS is standard 56-bit encryption. For additional security, North American users can obtain 128-bit encryption by ordering the Enhanced CryptoPAK from Microsoft. Files encrypted by the CryptoPAK cannot be decrypted, accessed, or recovered on a system that supports only 56-bit encryption.

You use a file that you encrypted just as you would use any other file. Encryption is transparent. You don't need to decrypt a file you encrypted before you can use it. When you open an encrypted file, your private key is applied to the DDF to unlock the list of file-encryption keys, allowing the file contents to appear in plain text. EFS automatically detects an encrypted file and locates a user certificate and associated private key. You open the file, make changes to it, and save it as you would any other file. However, if someone else tries to open your encrypted file, he or she will be unable to access the file and will receive an "access denied" message.

NOTE


Encrypted files can't be shared.

Decrypting

Decrypting a folder or file refers to clearing the Encrypt Contents To Secure Data check box in a folder's or file's Advanced Attributes dialog box, which you access from the Properties dialog box for the folder or file. Once decrypted, the file remains decrypted until you select the Encrypt Contents To Secure Data check box again. The only reason you might want to decrypt a file is that other people need access to the folder or file; for example, if you want to share the folder or make the file available across the network.

Using the Cipher Command

Windows 2000 also includes command-line utilities for the richer functionality that is required for some administrative operations. The Cipher command-line utility allows you to encrypt and decrypt files and folders from a command prompt.

The following syntax example shows the available options for the Cipher command. Table 7.7 describes these options.

cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]

Table 7.7 Cipher Command Options and Descriptions

Option      Description
/e          Encrypts the specified folders. Folders are marked so that files that are added later will be encrypted.
/d          Decrypts the specified folders. Folders are marked so that files that are added later will not be encrypted.
/s          Performs the specified operation on folders in the given folder and all subfolders.
/a          Performs the specified operation on files as well as folders. Encrypted files could be decrypted when modified, if the parent folder is not encrypted. To avoid this, encrypt the file and the parent folder.
/i          Continues performing the specified operation even after errors have occurred. By default, Cipher stops when an error is encountered.
/f          Forces the encryption operation on all specified files, even those that are already encrypted. Files that are already encrypted are skipped by default.
/q          Reports only the most essential information.
/h          Displays files with the hidden or system attributes, which are not shown by default.
/k          Creates a new file encryption key for the user running the Cipher command. Using this option causes the Cipher command to ignore all other options.
file_name   Specifies a pattern, file, or folder.

If you run the Cipher command without parameters, it displays the encryption state of the current folder and any files that it contains. You can specify multiple filenames and use wildcards. You must put spaces between multiple parameters.
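The following script is an added example, not part of the training kit: it applies the Cipher syntax from Table 7.7 to a folder tree and then audits the tree for anything that is still stored in the clear, which is the check an administrator wants after marking a folder. It assumes PowerShell is available (it was not part of Windows 2000; cipher.exe itself still accepts the switches shown above on current Windows) and uses a placeholder folder path, C:\Secret, matching the practice later in this lesson.

```powershell
# Added example: mark a folder for encryption with cipher.exe, then verify
# that every file in the tree carries the Encrypted attribute.

function Protect-FolderWithCipher {
    param([Parameter(Mandatory)][string]$Folder)

    # /e marks the folders, /s: recurses into subfolders, /a applies the
    # operation to the files as well. Folders and files are encrypted
    # together because a file in an unencrypted folder can end up decrypted
    # when it is modified (see the /a entry in Table 7.7).
    & cipher.exe /e "/s:$Folder" /a
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe exited with code $LASTEXITCODE"
    }
}

function Get-UnencryptedItems {
    param([Parameter(Mandatory)][string]$Folder)

    # -Force includes hidden and system files, the same items cipher /h shows.
    Get-ChildItem -Path $Folder -Recurse -Force | ForEach-Object {
        $attr       = $_.Attributes
        $encrypted  = ($attr -band [System.IO.FileAttributes]::Encrypted)  -ne 0
        $compressed = ($attr -band [System.IO.FileAttributes]::Compressed) -ne 0
        if (-not $encrypted) {
            # Compression and encryption are mutually exclusive on NTFS, so a
            # compressed item is the usual reason cipher skipped it.
            $reason = if ($compressed) { 'compressed (cannot be encrypted)' } else { 'not encrypted' }
            [pscustomobject]@{ Path = $_.FullName; Reason = $reason }
        }
    }
}

# Usage: the folder is a placeholder chosen for this example.
$Folder = 'C:\Secret'
Protect-FolderWithCipher -Folder $Folder
$gaps = @(Get-UnencryptedItems -Folder $Folder)
if ($gaps.Count -eq 0) {
    "Every item under $Folder carries the Encrypted attribute."
} else {
    "Items under $Folder still stored in the clear:"
    $gaps | Format-Table -AutoSize
}
```

Running the audit separately from the encryption step is deliberate: it catches files that Cipher reported but that an administrator reading a long listing might miss, and it gives a reason for each gap rather than just a name.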

Using the Recovery Agent

If the owner's private key is unavailable, a person designated as the recovery agent can open the file using his or her own private key, which is applied to the DRF to unlock the list of file-encryption keys. If the recovery agent is on another computer in the network, send the file to the recovery agent. The recovery agent can bring his or her private key to the owner's computer, but it is never a good security practice to copy a private key onto another computer.
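To make the DDF and DRF concrete, here is an added model of the key hierarchy this lesson describes (in the Encrypting section and in the recovery agent paragraph above); it is illustrative code, not EFS's own implementation or on-disk format. The assumptions are: one AES-256 file encryption key (FEK) per file stands in for the lesson's fast symmetric keys, RSA-OAEP stands in for the certificate-based wrapping, and every key pair is generated in memory. The same FEK is wrapped once for the owner (the DDF entry) and once for the recovery agent (the DRF entry), so either private key recovers the file while any other key is refused.

```powershell
# Added model of the EFS key hierarchy: FEK encrypts the data; the FEK is
# wrapped with the owner's public key (DDF) and the recovery agent's (DRF).
# Simplifications made here: one FEK per file, AES-256 for bulk encryption,
# RSA-OAEP for wrapping. None of this is EFS's actual format.

function New-KeyPair {
    # An RSA key pair standing in for a user's certificate and private key.
    return New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Get-PublicHalf {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$KeyPair)
    # Modulus and exponent only, as a certificate would carry them.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

function Protect-FileBytes {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider]$OwnerPublic,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryPublic
    )
    # The FEK: a random symmetric key used for the bulk encryption.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # File header: the FEK wrapped for the owner (DDF) and for the recovery
    # agent (DRF). Writing the header needs only public keys.
    $header = @{
        IV  = $aes.IV
        DDF = $OwnerPublic.Encrypt($aes.Key, $true)      # $true selects OAEP padding
        DRF = $RecoveryPublic.Encrypt($aes.Key, $true)
    }
    $aes.Dispose()
    return @{ Header = $header; Data = $data }
}

function Unprotect-FileBytes {
    param(
        $Package,
        [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey,
        [ValidateSet('DDF', 'DRF')][string]$Field
    )
    # Apply the private key to the DDF (owner) or DRF (recovery agent) entry.
    try {
        $fek = $PrivateKey.Decrypt($Package.Header[$Field], $true)
    } catch {
        return $null   # wrong private key: the FEK does not unwrap, so no data
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Package.Header.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Package.Data, 0, $Package.Data.Length)
    $aes.Dispose()
    return ,$plain
}

# Demonstration with constructed keys and constructed file contents.
$owner    = New-KeyPair   # file owner
$agent    = New-KeyPair   # designated recovery agent
$stranger = New-KeyPair   # a user with no entry in the header (User3 in the practice)

$plain = [System.Text.Encoding]::UTF8.GetBytes('Constructed contents of File1.txt')
$pkg = Protect-FileBytes -Plaintext $plain `
        -OwnerPublic (Get-PublicHalf $owner) -RecoveryPublic (Get-PublicHalf $agent)

$viaDDF = Unprotect-FileBytes -Package $pkg -PrivateKey $owner    -Field 'DDF'
$viaDRF = Unprotect-FileBytes -Package $pkg -PrivateKey $agent    -Field 'DRF'
$denied = Unprotect-FileBytes -Package $pkg -PrivateKey $stranger -Field 'DDF'

"Owner via DDF  : " + [System.Text.Encoding]::UTF8.GetString($viaDDF)
"Agent via DRF  : " + [System.Text.Encoding]::UTF8.GetString($viaDRF)
"Other user     : " + $(if ($null -eq $denied) { 'access denied' } else { 'unexpected success' })
```

The model shows why the recovery agent never needs the owner's private key, and why the lesson's advice to keep old recovery certificates matters: a file's DRF entry was wrapped with whatever recovery public key existed at encryption time, so a replacement agent's private key cannot unwrap it until the file has been re-encrypted.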

NOTE


The default recovery agent is the administrator of the local computer unless the computer is part of a domain. In a domain, the domain administrator is the default recovery agent.

It is a good security practice to rotate recovery agents. However, if the agent designation changes, access to the file is denied. Therefore, Microsoft recommends that you keep recovery certificates and private keys until you have updated all files that are encrypted with them.

The person designated as the recovery agent has a special certificate and associated private key that allow data recovery. To recover an encrypted file, the recovery agent would do the following:

  1. Use Backup or another backup tool to restore a user's backup version of the encrypted file or folder to the computer on which his or her file recovery certificate is located.
  2. In Windows Explorer, open the Properties dialog box for the file or folder, and on the General tab, click the Advanced button.
  3. Clear the Encrypt Contents To Secure Data check box.
  4. Make a backup version of the decrypted file or folder and return the backup version to the user.

Practice: Encrypting and Decrypting Files

In this practice, you encrypt a folder and its files.

Exercise 1: Encrypting Files

To encrypt a file

  1. Ensure that you are logged on as Administrator. In Windows Explorer, on the root of drive C, create the folder Secret, and in the folder Secret create the file File1.txt. Then right-click File1 and click Properties.

    Windows 2000 displays the Properties dialog box with the General tab active.

  2. Click Advanced.

    The Advanced Attributes dialog box appears.

  3. Click the Encrypt Contents To Secure Data check box and then click OK.
  4. Click OK to close the File1 Properties dialog box.

    An Encryption Warning dialog box informs you that you are about to encrypt a file that isn't in an encrypted folder. The default is to encrypt the folder and file, but you can also choose to encrypt only the file.

  5. Click Cancel, and then click Cancel again to close the File1 Properties dialog box.
  6. In Windows Explorer, right-click the Secret folder and then click Properties.
  7. Click Advanced.

    The Advanced Attributes dialog box appears.

  8. Click the Encrypt Contents To Secure Data check box and then click OK.
  9. Click OK to close the Secret Properties dialog box.

    The Confirm Attribute Changes dialog box informs you that you are about to encrypt a folder. You have two choices: you can encrypt only this folder, or you can encrypt the folder and all subfolders and files in the folder.

  10. Select the Apply Changes To This Folder, Subfolders And Files option, and then click OK.

To verify that the folder's content is encrypted

  1. In the Secret folder, right-click File1 and then click Properties.

    The File1 Properties dialog box appears.

  2. Click Advanced.

    The Advanced Attributes dialog box appears. Notice that the Encrypt Contents To Secure Data check box is selected.

  3. Close the Advanced Attributes dialog box.
  4. Close the Properties dialog box.
  5. Close all windows and log off.

Exercise 2: Testing the Encrypted Files

In this exercise, you log on using the User3 account and then attempt to open an encrypted file. You then try to disable encryption on the encrypted files.

To test an encrypted file

  1. Log on as User3 with a password of password.
  2. Start Windows Explorer and open the file File1.txt in the Secret folder.

    What happens?


  3. Close Notepad.

To attempt to disable the encryption

  1. Right-click File1.txt and then click Properties.
  2. Click Advanced.
  3. Clear the Encrypt Contents To Secure Data check box and then click OK.
  4. Click OK to close the File1 Properties dialog box.

    The Error Applying Attributes dialog box appears and informs you that access to the file is denied.

  5. Click Cancel.
  6. Close all open windows and dialog boxes.
  7. Log off as User3 and log on as Administrator.

Exercise 3: Decrypting Folders and Files

In this exercise, you decrypt the folder and file that you previously encrypted.

  1. Start Windows Explorer.
  2. Right-click File1.txt, and then click Properties.
  3. Click Advanced.
  4. Clear the Encrypt Contents To Secure Data check box and then click OK.
  5. Click OK to close the File1 Properties dialog box.
  6. Close Windows Explorer and log off.

Lesson Summary

In this lesson, you learned that EFS provides the core file-encryption technology for storage of NTFS files on disk. EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and encryption is not defeated by leakage to paging files. Windows 2000 also provides a recovery agent utility. If an owner loses the private key, the recovery agent can still recover the encrypted file.

You also learned that EFS is implemented either from Windows Explorer or from the command line, using commands such as Cipher. EFS can be enabled or disabled for a computer, domain, or organizational unit by resetting recovery policy in the Group Policy console in the MMC.

Finally, you learned that you can use EFS to encrypt and decrypt files on remote computers, but you can't use it to encrypt data that is transferred over the network. Windows 2000 provides network protocols, such as SSL, to encrypt data over the network.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244